Decade-old vulnerability among 129 Patch Tuesday fixes

A decade-old bug in Windows Group Policy Objects (GPOs) – assigned CVE-2020-1317 – is among the vulnerabilities patched by Microsoft on yet another bumper Patch Tuesday, 11 of them rated critical.

First identified last year by researchers at CyberArk as part of a wider year-long project, it is described by its discoverers as a “game changer” for an attacker as it can be simply exploited by attackers to quickly move from local to highly privileged user status, opening the door to credential theft or further attacks.

“Practically every organisation uses Windows GPO to set policies for all types of machines from printers to back up devices. To function it must interact with many different components of the network, making it an important stress point and an ideal target for an attacker to help them strengthen their hold within an organisation,” said CyberArk’s Eran Shimony in a disclosure blog.

“Attackers can exploit this vulnerability to circumvent and change local group policy and evade existing security solutions like anti-malware, endpoint protection and more,” said Shimony. “It also dramatically reduces the attack cycle, allowing a relatively easy jump to gain privileged access to critical systems.” 

It affects any Windows machine made since 2008, potentially meaning hundreds of millions of devices may be at risk if not properly patched.

CVE-2020-1317 is just one of the more severe bugs fixed this month, out of 129 in total, making June’s Patch Tuesday yet another whopper. A total of 98 of them centre on Windows operating system (OS) and browser updates, with the remaining 31 spread across Office, SharePoint, Defender, Endpoint Protection, and developer tools including Visual Studio, ChakraCore and Azure DevOps.

Justin Knapp, Automox product marketing manager, said: “The June Patch Tuesday is not short of updates for the Microsoft ecosystem. From Windows OS to browsers, Sharepoint to SMBv3, the release of these 129 patched vulnerabilities goes to show that an organisation needs to have a proactive approach to endpoint hardening as these can add up month after month if left unaddressed.

“With many organisations continuing to stretch existing resources to support the last-minute pivot to a more distributed work model, attackers will look to target applications that are core to business operations.

“The shift to remote work introduced additional challenges and exposure for both IT and security operations, leading many to seek out more efficient, scalable endpoint management solutions that can keep pace with a constantly changing threat landscape.

“To proactively minimise the attack surface and reduce the workload on security operations, organisations need to move away from outdated endpoint solutions and adopt a much shorter mean time to hardening that keeps their endpoints ahead of the average seven days to weaponisation of vulnerabilities.”

Todd Schell, Ivanti senior product manager of security, said the shift to remote working during the Covid-19 coronavirus pandemic was now becoming a real headache for security teams patching their systems.

“Many companies are using patch management solutions that require a virtual private network [VPN] to keep updated. There are many solutions that can manage updates without the need for a VPN. Another difficulty companies are facing is user connectivity,” said Schell.

“I had a conversation with one company that is managing updates without needing to use a VPN to access the network. Their challenge is their users have low internet speeds. Monthly updates requiring hundreds of megabytes of patches (or gigabytes in some cases) become problematic as well.”